Hackers attempted last week to infect Ukrainian government computer systems with malware hosted on fake websites impersonating legitimate state services.
Ukraine’s computer emergency response team, CERT-UA, attributed the attack to a group called WinterVivern. The group has been active since at least June and includes Russian-speaking members. In addition to its Ukrainian targets, it has also targeted government agencies in Poland, according to a report released Wednesday.
One of the malware variants used by this group, Aperetif, has been known to security researchers since May, and has been used to steal technical information about victims’ computers, such as about the operating system, hardware and software components, and network configuration values.
The recent campaign, however, used Aperetif in a unique way: hackers distributed it through fake websites posing as Ukraine’s Ministry of Foreign Affairs and Poland’s Central Cybercrime Bureau.
To gain access to victims’ devices, the hackers sent out phishing emails to employees of Ukrainian and Polish state organizations with instructions on how to download software that scans computers for viruses after potential Russian cyberattacks.
These emails contained a link to a supposedly legitimate government website where users could download software containing a malicious file. The execution of malicious files mimics the process of scanning computers for viruses, making it potentially hard for victims to detect.
Hackers also placed the malicious file on a fake website rather than in an email attachment to avoid detection, the report said.
CERT-UA said the payloads allowed hackers to take screenshots of the victim’s computer, scan the desktop folder for files with the specified extensions, and exfiltrate user data. A spokesperson for the agency said they could not share details about how many devices were infected or what information was stolen.
This is not the first time WinterVivern has used fake websites to attack users in Ukraine and Poland. In previous campaigns, they lured victims to bogus webpages of Ukraine’s Ministry of Defense, Ukraine’s Security Service, and Polish police.